“On Wednesday 16 November 2016, officers from the National Crime Agency arrested a 48-year old man from Orpington, Kent and a 39-year old man from Ashton-under-Lyne, Manchester on suspicion of computer misuse offences, and a 35-year old man from Moston, Manchester on suspicion of attempting to pervert the course of justice.

“All three have since been released on bail pending further enquiries. As investigations are on-going no further information will be provided at this time.”

The men are believed to have accessed a customer upgrade database for Three’s mobile network after they compromised an employee’s login credentials. That database is said to have contained customers’ names, phone numbers, dates of birth, geolocation, and other personal information. It did not include any financial information.

The hackers then looked through customers’ accounts to determine if those members were approved for a device upgrade. For eight customers, they submitted an upgrade request with the intention of intercepting the devices before they reached the customers.

The UK telecommunications company confirmed the breach on 17 November, though it declined to say how many people might have been affected or whether the hackers stole any customers’ data. Sources close to the investigation, however, told The Telegraph that as many as six million customers’ information could be at risk.

Three’s statement reads as follows:

“Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.

“We’ve been working closely with the Police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity.

“The investigation is ongoing and we have taken a number of steps to further strengthen our controls.

“In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three’s upgrade system.

“This upgrade system does not include any customer payment, card information or bank account information.”

BBC News reports the company has strengthened its data security practices since the incident occurred and is currently in the process of contacting the eight affected victims.

News of this breach follows one month after the UK Information Commissioner’s Office (ICO) ordered TalkTalk, another UK telecommunications company, to pay a fine of £400,000 for a data breach that compromised the personal information of 157,000 customers in 2015.